The attackers spent $1,400 on the black market for the details of 14 known, but not patched, bugs in WebKit. They then devised a way to use them to gain full “root” access to a device and built a complete system that would use those powers to install a remote access tool, or RAT, app that they had seized from China-based hackers.
“Nation states like Russia and China are active in developing RATs, and if we can do [this] in a few weeks, they certainly can as well,” said Dmitri Alperovitch, CrowdStrike’s chief technology officer. The RAT in the demo was a conventional app with elevated privileges that could potentially be detected by security apps available for Android, he said, but given more time, it would be possible to use the same methodology to install very hard-to-detect “rootkit” software invisible to such tools.
Kurtz tried to end on something of a positive note, saying, “the sky’s not falling. These are very targeted attacks.”
Preventing attacks like the one demonstrated on stage requires more frequent updates to mobile operating systems, said Kurtz. However, doing that is far from easy, because wireless carriers, device manufacturers, and mobile operating system providers must all be involved. As a consequence, most mobile devices today receive updates very rarely.